Think Apple computers are still malware immune? This new attack proves otherwise

A newly detected malware targeting macOS devices can steal passwords and capture iPhone backups. And it's coming from the same group believed to be responsible for the 2016 election hacks.


Mac computers don't fall prey to viruses and malware—at least that's been the prevalent myth surrounding them for the past few decades. For a long time that was true, but Apple's macOS devices now control a higher share of the tech market, and that makes them a ripe target.

Case in point, Bitdefender just shared preliminary research on a new form of malware that targets macOS devices and is particularly insidious. Bitdefender believes it was created by APT28, also known as Fancy Bear, the same Russian government-affiliated group behind the 2016 election hacking and leaks.

The malware, which is linked to APT28 because it is built on Xagent like its other creations, can steal passwords, capture live screenshots, and even duplicate iPhone backups.

How this new malware works

This new malware infects macOS machines through the Komplex downloader, itself a piece of malware that downloads and executes other programs used to steal data. Komplex is generally installed via spear phishing attacks and other infected DMG files and executables.

Komplex reaches out to its command and control servers, which in the case of this particular infection are named so as to throw off detection methods: They look like official Apple servers.

Once connected, Komplex monitors everything that happens on the infected machine and downloads modules that allow it to log keystrokes, harvest passwords, list active processes, index files, take screenshots, and even copy iPhone backups—all without the user knowing.
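Command and control hosts named to look like official Apple servers can be hunted for in DNS or proxy logs. The Python sketch below is an added example, not code from Bitdefender or the original article; the allowlist, brand tokens, and log lines are assumptions constructed for illustration.

```python
# Assumption: registrable domains Apple really uses; not exhaustive, extend from your baseline.
APPLE_OWNED = ("apple.com", "icloud.com", "mzstatic.com", "cdn-apple.com")
BRAND_TOKENS = ("apple", "icloud", "itunes")
# Digit-for-letter swaps commonly seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed DNS query log (timestamp, client IP, queried name).
# The suspicious names use reserved TLDs and are not real indicators.
SAMPLE_LOG = """\
2017-02-14T09:01:12Z 10.0.4.21 www.apple.com
2017-02-14T09:01:15Z 10.0.4.21 apple-updates.example
2017-02-14T09:02:40Z 10.0.4.37 p01-caldav.icloud.com
2017-02-14T09:03:02Z 10.0.4.37 app1e-cdn.test
2017-02-14T09:03:30Z 10.0.4.52 icloud.com.login.example
2017-02-14T09:04:11Z 10.0.4.52 intranet.corp.example
truncated line
"""

def is_apple_owned(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in APPLE_OWNED)

def lookalike_reason(host):
    """Return why a hostname imitates Apple infrastructure, or None."""
    host = host.lower().rstrip(".")
    if is_apple_owned(host):
        return None
    for d in APPLE_OWNED:
        # A real Apple domain used as labels inside someone else's zone.
        if d + "." in host:
            return f"embeds {d} under a foreign domain"
    normalized = host.translate(HOMOGLYPHS)
    for token in BRAND_TOKENS:
        if token in host:
            return f"brand token '{token}' outside allowlist"
        if token in normalized:
            return f"homoglyph of '{token}'"
    return None

def scan(log_text):
    """Return (client, host, reason) for every lookalike query in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        _, client, host = parts
        reason = lookalike_reason(host)
        if reason:
            hits.append((client, host, reason))
    return hits
```

Substring matching will also flag benign names that merely contain a brand token, so treat hits as triage leads tied to the querying client rather than as verdicts.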

Is it really Russian in origin?

Bitdefender seems confident in its assertion that this new malware originates from alleged Russian government actor APT28. "Today's sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan," it said, also indicating that a number of modules in the Xagent module for macOS and similar spyware developed by APT28 target Windows and Linux machines.

If true, it at least points to where your stolen data is going: Russia. What use a government-affiliated hacking group has for your credit card numbers, passwords, iPhone backups, and other files is left up to the imagination. Whatever it is, it isn't good news for personal or business macOS users.

How to protect your network

The seemingly unlimited amount of sensitive data one infected machine can harvest should be enough of a warning to network administrators and security professionals: Take preventive steps to stop an infection before it starts.

First, macOS machines should be prevented from downloading and executing programs that don't come from the App Store or another approved source. If users are allowed to download and run any software they wish, it's only a matter of time before APT28—or some other malware producer—gains control of a machine.

Steps must also be taken to educate users on phishing prevention, best security practices, and proper use of their BYOD computer for business. Computers can't be infected if people don't make the mistakes that allow them to get that way.

Vigilance, security audits, and user education are still the only way to keep a network safe.

The 3 big takeaways for TechRepublic readers

A new form of macOS malware can harvest passwords, capture screenshots, and steal iPhone backups. It is installed via the Komplex downloader, a malware installer that typically comes from spear phishing and infected disk images.

The malware is believed to come from APT28, a Russian-backed hacking group responsible for the 2016 DNC hacks.

Preventing infections requires tight asset control and admin policies as well as user education on preventing security threats.
